Because it works in this specific use case, but let’s assume I had some regex-based replacement - it would be much more complex to implement the filter
A much more native solution will be for example to skip the Transform Rule when the request is made by a worker, so I’m looking for a way to filter it based on the way the request was made (for example localhost Source IP, or something similar), unfortunately the things I’ve tried up until now didn’t work
You may want to have a look at the field cf.worker.upstream_zone.
Identifies whether a request comes from a worker or not.
When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise cf.worker.upstream_zone is empty.
Source: Fields reference · Cloudflare Ruleset Engine docs
The error I get - is not a valid value for expression because the use of field cf.worker.upstream_zone is not allowed (Code: 20127)
Though it is probably not the best practice I was trying to rely on the headers, as they are available in the Filters - I was trying to refer to the CF-Worker header, but it doesn’t seem to work either
I tried - not(any(http.request.headers.names[*] == "CF-Worker"))
and also not(any(http.request.headers["cf-worker"][*] matches "^.+$"))
Probably because according to the docs (Cloudflare HTTP request headers · Cloudflare Fundamentals docs) it seems like when using rules (they specifically mention WAF rules, but I think it behaves the same here) the CF-Worker header is not set yet and they actually refer to use the cf.worker.upstream_zone parameter
Do you have any ideas?
It seems like the only way to overcome that is to use the not starts_with and specifically adjust the Filters for every rule we have
As far as Transform Rules go, this worked for me:
http.request.uri.path contains "/teste/"
and not (http.request.headers["cf-worker"][0] eq "example.com")
The headers A-Request and A-Workers are added by the Worker itself, so the rewrite is working without adding the path element twice (or multiple times), as would have been the case since the first condition uses the operator "contains" and both URLs do contain "/teste/".
However, it only works because my test worker has as a path /v1/teste/ and the request was made to /teste/. If I visit /v1/teste/ directly, it adds another /v1 before it sends the request to the Worker.
So it all depends on how you set up the paths and routes in your installation. Depending on the complexity of it, you may want to add the rewrite logic to the worker itself.
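
The last suggestion above (doing the rewrite in the Worker itself), as an added example that is not part of the thread and not Cloudflare's own code. The /v1 prefix and /teste/ path come from the answer; the function names are hypothetical, and the rewrite is written to be idempotent so a path that already starts with /v1/ is never prefixed a second time.

```javascript
// Added example: path rewrite done inside the Worker instead of a Transform Rule.
// PREFIX and MATCH mirror the paths in the answer above; function names are hypothetical.
const PREFIX = "/v1";
const MATCH = "/teste/";

// Return the path the upstream should see. Idempotent: a path that already
// carries the prefix is returned unchanged, so the prefix is never added twice.
function rewritePath(pathname) {
  if (pathname === PREFIX || pathname.startsWith(PREFIX + "/")) {
    return pathname;
  }
  // Same condition as the rule's `http.request.uri.path contains "/teste/"`.
  if (!pathname.includes(MATCH)) {
    return pathname;
  }
  return PREFIX + pathname;
}

// Build the upstream URL, keeping host and query string untouched.
function rewriteUrl(requestUrl) {
  const url = new URL(requestUrl);
  url.pathname = rewritePath(url.pathname);
  return url.toString();
}

// Worker entry point (service-worker syntax). The guard lets the file also
// load outside the Workers runtime, where no fetch event exists.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    const upstream = rewriteUrl(event.request.url);
    // Copy method, headers and body from the incoming request.
    event.respondWith(fetch(new Request(upstream, event.request)));
  });
}
```

Because the decision depends only on the path, it gives the same result whether the request arrives from a visitor or from another Worker, so no header or cf.worker.upstream_zone check is needed.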